Security Corner:

Security policy

Oct 15 2009   3:18AM GMT

Convert a USB Thumb Drive into a ROBAM



Posted by: Ken Harthun
Security, Secure Computing, ROBAM, Security policy, Security practice

What’s a ROBAM? you ask. Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from http://unetbootin.sourceforge.net/
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.

I haven’t tried this, so comments welcome.
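Two checks worth running around steps 1 and 4 of the procedure above, as an added example that is not part of the original post or of UNetbootin: verifying the downloaded .iso against the SHA-256 sum the distribution publishes (a tampered image would defeat the whole point of booting alternative media), and confirming after the drive is prepared that the Linux kernel actually sees the whole device as read-only via the `ro` attribute in `/sys/block/<device>/`. That attribute reads `1` when the drive reports hardware write-protection or when root has set the flag with `blockdev --setro`. The device name `sdb`, the script name and the expected checksum are assumptions for illustration; a software `--setro` flag is only in-kernel state and is gone after the drive is unplugged or the machine is rebooted, so a hardware write-protect switch is what gives the "read-only" property durably.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers for a ROBAM thumb drive:
#
#   verify_iso_checksum FILE EXPECTED_SHA256
#       returns 0 when FILE's SHA-256 equals EXPECTED_SHA256 (copied from the
#       distribution's download page), 1 on mismatch, 2 if FILE is unreadable.
#   is_block_readonly DEVNAME [SYSFS_ROOT]
#       returns 0 when the kernel reports the whole device read-only
#       (SYSFS_ROOT/DEVNAME/ro contains "1"); SYSFS_ROOT defaults to /sys/block
#       and is a parameter only so the check can be exercised on a fake tree.

verify_iso_checksum() {
    iso="$1"
    expected="$2"
    [ -r "$iso" ] || { echo "no such ISO: $iso" >&2; return 2; }
    # sha256sum prints "<hex>  <file>"; keep only the hex digest.
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $iso"
        return 0
    fi
    echo "checksum MISMATCH for $iso" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

is_block_readonly() {
    dev="$1"
    root="${2:-/sys/block}"
    flag="$root/$dev/ro"
    [ -r "$flag" ] || { echo "no read-only flag at $flag" >&2; return 2; }
    # "1" = read-only (hardware write-protect or blockdev --setro), "0" = writable.
    [ "$(cat "$flag")" = "1" ]
}

# Usage (hypothetical names): sh robam_check.sh ubuntu.iso <sha256-from-download-page> sdb
if [ $# -eq 3 ]; then
    verify_iso_checksum "$1" "$2" || exit 1
    if is_block_readonly "$3"; then
        echo "/dev/$3 is read-only at the block layer"
    else
        echo "/dev/$3 is still writable at the block layer" >&2
        exit 1
    fi
fi
```

Run the checksum check on the image before handing it to UNetbootin, and the read-only check after the drive has been written and re-inserted; if `ro` still reads `0` at that point, the "read only" property set in step 4 did not survive and the drive is not yet behaving like a live CD.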

Sep 30 2009   9:43PM GMT

Security Maxims of a Different Breed



Posted by: Ken Harthun
Security, Security maxim, physical security, cyber security, Humor, Security management, Security policy

Search for “computer security maxims” on any of the top three search engines (Google, Yahoo, Bing) and my articles mostly dominate the results. So I was quite surprised that Security Now Episode #215, entitled “Security Maxims,” gave no mention whatsoever of my contributions to this subject over the past three years. Guess I’ll have to take that up with Steve and Leo. To be fair about it, though, the maxims that Steve talked about in the episode, composed by Roger G. Johnston, Ph.D., CPP of Argonne National Laboratory, Nuclear Engineering Division, are related to “…physical security and nuclear safeguards.” However, according to Johnston, “They probably also have considerable applicability to cyber security.” Many of them are also amusing.

Take this one for instance:

So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

Or this one:

Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
Comment: From security guru Bruce Schneier.

How about this?

Byrne’s Law: In any electrical circuit, appliances and wiring will burn out to protect the fuses.

In all, there are more than 60 maxims listed. You can download a PDF of “Security Maxims” if you want to see more. I highly recommend you read them. You may learn something new. Like I did.

Now, I’m out of here. Have to go fire off an email to Steve and Leo…

Comments? Let me know what you think.


Apr 29 2009   12:33AM GMT

10 Immutable Laws of Security Administration



Posted by: Ken Harthun
Security, Security management, Security policy, Security practice, Secure Computing

My last post on this subject discussed the 10 Immutable Laws of Security. This one takes the next step: also a Microsoft “archived” essay, but still relevant today. These are so self-evident that I’m not even going to burden you with my thoughts. Print this out and hang it where you can see it as a constant reminder. These are the 10 Immutable Laws of Security Administration:

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea


Apr 15 2009   8:13PM GMT

10 Immutable Laws of Security



Posted by: Ken Harthun
Security, Secure Computing, Security management, Security policy, Security practice

I search the web constantly for security-related news and content. One day last month, I came across a series of articles on TechNet buried in the archive. Microsoft prefaces the articles with this statement: “Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.” Well, I find the content interesting and relevant, certainly worthy of bringing to your attention. Here are the 10 Immutable Laws of Security according to Microsoft with my comments included:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Physical security isn’t complicated. My Security Maxim #8 covers it admirably.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.

Law #5: Weak passwords trump strong security

I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. Heed my advice and make your passwords unguessable.

Law #6: A computer is only as secure as the administrator is trustworthy

If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants.

Law #7: Encrypted data is only as secure as the decryption key

Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Out-of-date malware scanners of any kind won’t protect you against the inevitable new variants that come along.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”

Law #10: Technology is not a panacea

No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.